The cloud computing technological revolution is in progress, though it is undergoing some evolutionary changes. As an increasing number of individual users and businesses move their data and whole IT infrastructures to the cloud, it is natural to start wondering how secure this cloud data is.
Cloud computing is an approach that covers a wide spectrum of cloud tools and models. To be more specific, it is a mechanism that can be presented as a threefold system of software, platform, and infrastructure delivered as a service. The technology has a lot of potential and promises its users a boost in efficiency, agility, and profitability. The cloud offers many benefits but, like any other technology, it has its weaknesses. And one of its softest spots is security.
What is data security in cloud computing?
Essentially, security in the cloud does not differ much from security in traditional on-premises data centers. In both cases, the focus is on protecting data from theft, leakage or deletion.
Due to its nature, however, the cloud is highly susceptible to security threats. Data that is stored with a third-party provider and accessed over the web does not sound too reliable. Besides, the more data is transferred to the cloud, the harder it is to maintain its integrity, which is the basic requirement behind data security. In fact, the cloud does allow operating at scale while still preserving data integrity. But ensuring that the cloud is secure takes a multitude of security measures, more than those taken in traditional IT security. So, with cloud computing, you will have to keep an eye open for new areas of concern.
Another issue to think about is your cloud service provider. Basically, you as a data owner don’t take full responsibility for cloud security. So, from the very beginning, you should ask yourself whether the cloud services provider of your choice is ready to take all the appropriate security measures.
Top security risks of cloud computing
The cloud has its benefits, but if you are determined to migrate to it, take a focused security approach: review and determine what changes will be needed for your future cloud operations to remain secure. Otherwise, you may find yourself in a position where you have no control over your data. These are the primary risks associated with cloud computing that you must thoroughly analyze in the first place:
- Data loss.
- Compromised accounts.
- Malware infection.
- Regulatory violations.
- Insider threats.
1. Data loss.
The Cloud Adoption and Risk Report by McAfee found that 21% of files in the cloud contained sensitive data. Obviously, losing it is highly undesirable. One of the biggest fears is losing data at rest, in transit, or on endpoints. Since a cloud security breach may involve the theft of confidential data and cause the loss of sensitive data, data loss prevention must constitute a key part of the data management strategy. Although the loss of data in the cloud is less likely, it still may happen to anyone. To give an example, GitLab, a successfully growing startup that provides release automation services, had some security “hiccups” in early 2017. As a result of an admin’s mistake, 300 GB of user data was lost. Though some of it was then restored from a backup database, the rest was gone forever. So, it never hurts to take some extra measures and consider engaging backup and disaster-recovery service providers.
2. Compromised accounts.
Cloud account hijacking, the compromise or theft of individual or organizational cloud accounts, is another risk a user may face. Cloud computing consists of distributed systems of diverse networked devices with a variety of connectivity and, as a result, cloud networks are vulnerable to network attacks. Hackers can thus monitor and manipulate data by stealing weakly protected account credentials. A password or key can also be compromised when hackers guess a weak password or mount a phishing or spoofing attack.
Cases of personal data such as marketing data, health records, election data and more being compromised are not that rare. For example, the industry giant Amazon Web Services, which offers cloud computing services, has fallen victim to an attack. Hackers logged into Uber’s AWS account, gained access to the company’s private GitHub repository and downloaded personally identifiable data of app users. Though appropriate steps to strengthen controls on Uber’s cloud-based storage accounts were taken immediately, the company’s reputation suffered anyway.
3. Malware infection.
The cloud not only offers scalability and speed in handling data but also allows delivering super scalable malware very fast. And malware authors are always looking for new ways to infect. The cloud has recently become this new way, as cloud apps are a great asset for spreading malicious attacks on a large scale. For instance, there was a case when malware was received via email as a resume file and, after having been moved to a folder that synced with a cloud app, it was delivered to other users. So, instead of infecting one device, it easily spread to cause greater harm.
Though cloud apps are rarely directly infected with malware, and data running on virtualized hardware is less likely to have vulnerabilities potentially leading to an attack, it still may happen. Malicious actors infect the cloud with viruses that harm cloud systems, for example by hijacking accounts. The most common outcome of such attacks is the theft of data from a cloud application or of data hosted in cloud infrastructure. Another example is the “fan-out” effect, in which malware infects one user’s device and quickly spreads further through cloud services.
4. Regulatory violations.
Most companies have to operate under certain regulations now. This compliance is usually a pillar of security in the cloud. Under HIPAA and HITECH for private or sensitive health information, FERPA for confidential student records, and GDPR for personal data relating to data subjects in the European Union (EU), to name a few, companies should know where their data is stored, who has access to it and what measures are taken to protect it properly. A cloud service provider is a third party that, upon receiving data for processing, becomes liable for the appropriate care of it. So, before cloud services can be used by organizations processing personal information, a risk analysis should be performed and risk management policies must be established. For example, St. Elizabeth’s Medical Center, which used a cloud-based file-sharing application without ensuring that it handled data in compliance with HIPAA, put its clients’ personal data at risk and paid a $218,400 fine for it.
5. Insider threats.
The human element of data security has many faces and many sources. Sometimes, insiders can pose more of a threat to companies using the cloud than attacks from the outside. This kind of threat can be either malicious or careless in nature. One way or another, this harm is easier to do because the attackers do not have to break in: they are already inside. User error and the resulting data leakage or loss are not the worst part. The rogue insider is what companies should be prepared for, especially now that the cloud has expanded the scope of insider threat by offering more ways to access data. No company wants to believe it may have a rogue employee on its payroll. That is why insider-threat risks are usually related to a lack of control. Therefore, organizations should establish and keep evolving their data security policies to minimize the risk.
How to safeguard data in the cloud?
It seems like a lot to handle, and providing complete security in cloud computing may start to look like a complex task. But no worries here! Cloud computing remains a modern technology with numerous advantages. In order to enjoy them all, you just have to take as many cloud security measures as possible. Thus, we advise you to consider these four steps when working with the cloud:
- Data encryption.
- Access control and strong authentication.
- Separate data.
- Avoid storing sensitive and high-value data.
1. Data encryption.
Comprehensive encryption at the file level must form the foundation of your cloud security efforts. Although cloud service providers and third-party cloud security software vendors may offer tools for protecting your data, users must be responsible for their data security, too. Data that is sensitive or subject to rules and regulations needs the highest level of security. Strong encryption, or data encoding, is a surefire way to do it. In the cloud, encryption is applied to data in transit and data at rest to protect the confidentiality of digital data as it is transmitted via the Internet or other networks. Besides, it is effective to encrypt data even before syncing it with the cloud. Encryption algorithms drive security by encoding data so that it can be viewed only after decrypting it with the correct encryption key. Some cloud services providers manage keys for their customers, while others allow clients to take full control over their keys. In that case, it is the customer who controls the key and manages the data.
2. Access control and strong authentication.
It’s essential to provide secure access to applications. Cloud systems are exposed to the Internet, so strong authentication can be a great solution to resist unauthorized access. Strong passwords, two- or three-factor authentication can be used whenever and wherever possible. The username-and-password method has prevailed for a long time due to its convenience for an end user.
Yet, with the advance of computing power and cryptography algorithms, the username-and-password method is not secure anymore. Multi-factor authentication is a simple and secure way to authenticate the people using cloud-based applications. It consists of two to three elements: a secret password, biometrics like a fingerprint or face authentication, and, less frequently, something the user physically possesses, like the device from which the cloud is accessed. Normally, this approach mitigates the password-related vulnerabilities. For example, customers using the AWS platform may take advantage of the authentication tool AWS Cognito, which is responsible for securing access to cloud-based apps.
3. Separate data.
It is a good idea for companies to create data classification policies that separate data according to its level of sensitivity. Adopting a common set of terms lets a company start classifying data and communicate clearly which data should be referred to and handled as public, private, or sensitive.
Public. This is non-sensitive data that can be disclosed without restriction and be open to the general public. Public data is available to all employees as well as to various individuals and entities external to the company.
Private. The confidentiality of this data is preferred. Information associated with private data, however, may be subject to open records disclosure. Usually, it is guarded for privacy considerations; examples include email correspondence, budget plans, and employees’ IDs.
Restricted or sensitive. Confidentiality of sensitive data may be required by law, policy, or contractual obligation. It may need strict security protection and special authorization. This type of data is intended for limited and specific use by certain individuals or groups of people. Examples of sensitive data include patient health data, financial data, information protected by non-disclosure agreements or other private contracts, critical infrastructure information, and information about credit card transactions or cardholder data.
4. Avoid storing sensitive and high-value data.
Storing data in the cloud is very similar to storing it on other people’s computers. Some may recommend giving up the idea altogether. Avoiding the cloud as a matter of principle is simple advice, but not workable. In the first place, before transferring your data to the cloud, be it public, private or sensitive, you need to ensure that you understand the chosen cloud services provider’s policies on how data will be backed up, who will be able to access the different data types and how, and how alleged breaches can be prevented and punished. Another good piece of advice is, if possible, to opt for keeping your high-value data away from the cloud infrastructure. Otherwise, you must be sure your provider seeks compliance with industry standards.
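The classification tiers from step 3 and the storage advice from step 4 can be combined into a check that runs before a file is synced. The sketch below is an added example, not part of the original article: the keyword rules, the action names and the `provider_compliant` flag are assumptions chosen to mirror the article’s examples, and the sample documents in the comments are constructed.

```python
import re

# Action per tier (assumed names): public goes up as-is, private is encrypted
# before syncing, sensitive stays out of the cloud by default.
POLICY = {"public": "upload", "private": "encrypt-then-upload",
          "sensitive": "keep-on-premises"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SENSITIVE_RE = re.compile(r"\b(patient|diagnosis|cardholder|non-disclosure)\b", re.I)
PRIVATE_RE = re.compile(r"\b(budget|employee id)\b|[\w.+-]+@[\w-]+\.[\w.]+", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """Return the highest tier any rule matches: sensitive > private > public."""
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            return "sensitive"  # e.g. "Payment card 4111 1111 1111 1111"
    if SENSITIVE_RE.search(text):
        return "sensitive"      # e.g. "Patient diagnosis attached"
    if PRIVATE_RE.search(text):
        return "private"        # e.g. "Q3 budget plan, contact jane@example.com"
    return "public"

def upload_decision(text: str, provider_compliant: bool = False) -> str:
    """Sensitive data leaves only for a provider vetted against industry standards."""
    tier = classify(text)
    if tier == "sensitive" and provider_compliant:
        return "encrypt-then-upload"
    return POLICY[tier]
```

Keyword and pattern rules like these miss sensitive content that contains none of the listed terms, so they complement an owner-assigned label rather than replace it.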
Knowing data security soft spots in the cloud, you stand a good chance of succeeding in addressing all the cloud computing security issues. The cloud offers many opportunities to enterprises of different sizes and you should not miss out on them. To get started, investigate the conditions of cooperation with the cloud providers and go over the top risks and key safeguarding measures beforehand. Then, your experience with cloud services is bound to be positive.
© 2019, Vilmate LLC